Europe’s digital backbone is increasingly under strain as cyber sabotage, ransomware and foreign interference become a daily reality.
In response, the European Commission has unveiled a far-reaching overhaul of the Cybersecurity Act, setting out a new strategy to secure technology supply chains, reduce exposure to high-risk vendors and reinforce the EU’s collective ability to prevent and respond to cyber crises.
The proposals mark a shift from fragmented defences to a more coordinated, security-by-design approach aimed at protecting critical services, businesses and citizens across the bloc.
The proposed reforms aim to future-proof the EU’s digital ecosystem by strengthening supply chain security, simplifying business rules, and significantly expanding the role of the EU Agency for Cybersecurity (ENISA).
Taken together, the measures in this new cybersecurity package are designed to strengthen Europe’s resilience in an era where cyber risk is no longer purely technical, but strategic.
A strategic response to a shifting threat landscape
Recent cyber incidents have exposed how deeply Europe’s economies and societies depend on secure information and communication technologies (ICT).
Vulnerabilities in software, hardware and managed services can ripple across borders, disrupting critical infrastructure from energy and transport to healthcare and finance.
The revised Cybersecurity Act acknowledges that supply chain security now extends beyond product flaws to include supplier dependencies, foreign interference and geopolitical risk.
In response, the Commission is proposing a trusted ICT supply chain security framework built on a harmonised, risk-based approach that can be applied consistently across the EU’s 18 critical sectors.
This framework will allow the EU and Member States to jointly identify and mitigate risks, while balancing security needs with economic impact and market supply considerations.
Derisking high-risk suppliers from critical networks
One of the most consequential elements of the Cybersecurity Act is its focus on reducing exposure to high-risk third-country suppliers, particularly in mobile telecommunications.
Building on existing work under the EU’s 5G security toolbox, the revised legislation would enable mandatory derisking measures where suppliers pose significant cybersecurity concerns.
This marks a shift from voluntary coordination to enforceable action, reflecting growing recognition that strategic dependencies in ICT infrastructure can translate into systemic security vulnerabilities.
Faster, simpler cybersecurity certification for Europe
To ensure that products and services reaching EU citizens are secure by design, the revised Cybersecurity Act overhauls the European Cybersecurity Certification Framework (ECCF).
Certification schemes will, by default, be developed within 12 months, replacing slower and more complex processes.
Governance of the framework will become more transparent and inclusive, with stronger stakeholder involvement and public consultation.
Managed by ENISA, certification will remain voluntary but practical, enabling businesses to demonstrate compliance with EU cybersecurity legislation while reducing administrative costs.
Importantly, certification will go beyond traditional ICT products and services. Organisations will also be able to certify their overall cyber posture, helping them meet market expectations and build trust across complex supply chains.
For EU businesses, the ECCF is positioned as a competitive advantage; for consumers and public authorities, a guarantee of security and reliability.
Cutting red tape and clarifying compliance
Alongside the Cybersecurity Act, the Commission has proposed targeted amendments to the NIS2 Directive to ease compliance burdens. These changes are expected to benefit around 28,700 companies, including more than 6,000 micro and small enterprises.
A new category of small mid-cap enterprises will lower compliance costs for a further 22,500 companies. The amendments also aim to clarify jurisdictional rules, streamline ransomware data collection and improve oversight of cross-border entities, with ENISA taking on a stronger coordinating role.
Together, these measures complement the proposed single-entry point for incident reporting under the Digital Omnibus.
ENISA’s expanding role at the heart of EU cyber defence
Since the first Cybersecurity Act in 2019, ENISA has become a cornerstone of Europe’s cyber defence architecture.
The revised Act significantly expands its mandate, enabling the agency to issue early warnings on emerging threats, support responses to ransomware attacks and improve vulnerability management across the Union.
Working with Europol and national Computer Security Incident Response Teams, ENISA will also help organisations recover from major incidents.
Beyond crisis response, the agency will invest in long-term resilience by piloting a Cybersecurity Skills Academy and rolling out EU-wide skills attestation schemes to address the growing talent gap.
Reinforcing EU cybersecurity
Once approved by the European Parliament and the Council, the Cybersecurity Act will apply immediately. Member States will then have one year to transpose the accompanying NIS2 amendments into national law.
As cyber threats continue to evolve daily, the revised Cybersecurity Act represents the EU’s most ambitious effort yet to secure its digital future – turning resilience, trust and coordination into strategic assets for Europe.